38418bb3a9add1ee37f3cf05e103bb0de301f7d0638e97a8c6255f574f05a369

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-08_00a4b9bf706da5947f6e9302037dca5d_cryptolocker.exe
Size

65KB
MD5

00a4b9bf706da5947f6e9302037dca5d
SHA1

6baaeee47d38a967a3805c1853e3f1c97a48e3b0
SHA256

38418bb3a9add1ee37f3cf05e103bb0de301f7d0638e97a8c6255f574f05a369
SHA512

9271cdd50cd35b74aa24a8ff80fc54869d28e820a6569314e10eeda93782613e226fac9d51f0d74018725de6ffcd8771569e1328a3d9659f68ed65c57ea7569c
SSDEEP

1536:o1KhxqwtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZszudnYTjipvF293Wt:aq7tdgI2MyzNORQtOflIwoHNV2XBFV7+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	hurok.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	2024-07-08_00a4b9bf706da5947f6e9302037dca5d_cryptolocker.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	hurok.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2684	1128	2024-07-08_00a4b9bf706da5947f6e9302037dca5d_cryptolocker.exe	85
PID 1128 wrote to memory of 2684	1128	2024-07-08_00a4b9bf706da5947f6e9302037dca5d_cryptolocker.exe	85
PID 1128 wrote to memory of 2684	1128	2024-07-08_00a4b9bf706da5947f6e9302037dca5d_cryptolocker.exe	85

C:\Users\Admin\AppData\Local\Temp\2024-07-08_00a4b9bf706da5947f6e9302037dca5d_cryptolocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-08_00a4b9bf706da5947f6e9302037dca5d_cryptolocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Local\Temp\hurok.exe
  "C:\Users\Admin\AppData\Local\Temp\hurok.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hurok.exe

Filesize
66KB

MD5
f93cace1b9d10a0beb1884b42330c487

SHA1
ec99024623abd0514c33547b7663ae50a284b612

SHA256
330c16e1dd709c57c1e90567766287871a99246fc0b49258a45fe856c994cdcc

SHA512
74e96a7d419f8852737d57798e19ad9d5d80c02204b2d279a072cf2fb87abc8221ec45a305c6d1dae376255bd15f3db39e5c3a33478e8b99fa8ea8c1b7214da4

Download Submit
memory/1128-0-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/1128-1-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/1128-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2684-23-0x0000000001F40000-0x0000000001F46000-memory.dmp

Filesize
24KB

Download